Routing of an Onion
Instead of making a direct connection to a destination machine such as a webserver, a system using onion routing makes its connections through a chain of onion routers. Each node learns nothing more than the node it received the data from and the node it must forward it to, so no single node, and no eavesdropper on a single link, can match a sender to a destination. This applies equally to a routing node that is itself monitoring the traffic passing through it. Because the data is wrapped in multiple layers of encryption, one layer per node on the path, it looks different on every link, and linking a message from its source to its destination requires control of, or observation at, every node the message is directed through. Even then, picking the one message to be traced out of the many that share each link is not straightforward and calls for statistical analysis of timing and volume to determine which onions originate from a given host. That kind of correlation is the realistic threat: an adversary who can watch both the entry and the exit of a path can attempt it, which is why onion routing is described as resisting traffic analysis rather than eliminating it.

'Connecting to the Onion Routing Network'

When a client wishes to send data anonymously, it connects to an onion proxy, which formats the data in a form the onion routers understand. At this stage the proxy chooses the route, the sequence of nodes the onion will traverse, and wraps the data in one layer of encryption per node: the innermost layer for the last node, the outermost for the first, each layer encrypted with that node's public key and carrying the address of the hop that follows it. The result is the onion. The proxy hands the onion to an entry funnel, a specially configured routing node that accepts traffic into the onion network. From there the onion passes through the network, each hop removing one layer of encryption, until it reaches the exit funnel. This is the onion's exit point from the anonymous network, and the data continues to its destination as an ordinary message.

'Inter-Node Connections'

Onion routers are connected by a set of long-lived (static) socket connections. Any one node can therefore forward only to a fixed set of neighbours, much as a router in traditional IP networking forwards according to a statically defined routing table.
These static connections are multiplexed: many users 'borrow' a share of a connection to build a virtual circuit that lasts for the duration of their session. The routing itself (choosing the next onion router to forward to, based on the next-hop address found inside the onion) takes place at the application layer. Nodes still depend on IP to carry the data across the internet and on TCP for reliable delivery; the addresses of the onion routers to be traversed live in the application-layer payload, not in the IP header. When a node receives an onion it strips off the outermost layer, reads the IP address of the next hop and builds a new packet addressed to it, setting its own IP address as the source. Because both the source and the destination IP address change at every hop, an observer of any one link sees only a conversation between two adjacent routers and cannot follow the message across the network from its IP headers alone. When the onion reaches the exit funnel, the message leaves with the exit funnel's IP address as its source and travels on as a normal packet, so to the destination the traffic appears to originate from the exit node rather than from the true originating host.

Below: an example of a message sent through an Onion Routing Network.

'Exit Funnels'

An exit funnel is the last node an onion traverses in the onion network, and the last hop at which the onion architecture exists; beyond this point the onion network provides no further encryption or anonymity. Once forwarded by the exit node, the original message behaves like any other on its way to its destination, but it carries the exit funnel's IP address as its source. The destination therefore sends its replies to the exit node rather than to the originating host, which keeps the originator hidden from the destination. The corollary matters in practice: anything the client did not protect end to end (for example with TLS) is visible in cleartext to the exit funnel and on the link from it to the destination.
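The construction and hop-by-hop peeling described in the sections above, together with the reply direction that the exit funnel handles, as an added example that is not part of the original page. It assumes a three-node route named entry-funnel, router-b and exit-funnel, a destination called webserver.example, and a constructed HTTP request line and reply; it also stands in a symmetric encrypt-then-MAC layer built from HMAC-SHA256 for the public-key wrapping of the real design, so that it runs on the Python standard library alone. All names, keys and messages are constructed for illustration.

```python
"""Toy onion-routing walk-through (added example, not from the original page).

Assumption: each router holds a long-term key that the onion proxy knows, and
the layer wrapping is a symmetric encrypt-then-MAC (HMAC-SHA256 keystream).
The real design wraps each layer with the router's *public* key; the symmetric
stand-in keeps the example runnable on the standard library alone.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, truncated to the requested length.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: nonce || tag || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; the wrong key (or a modified onion) is rejected."""
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(keys: dict, route: list, destination: str, message: bytes) -> bytes:
    """Onion proxy: wrap the exit layer first and the entry layer last, so each
    node's layer is the outermost one when the onion reaches it. Every layer
    carries the address of the hop that follows the node peeling it."""
    onion, next_hop = message, destination
    for node in reversed(route):
        addr = next_hop.encode()
        onion = wrap(keys[node], bytes([len(addr)]) + addr + onion)
        next_hop = node
    return onion


def peel(key: bytes, onion: bytes) -> tuple:
    """Onion router: remove the outermost layer, read the next hop, return the rest."""
    inner = unwrap(key, onion)
    n = inner[0]
    return inner[1:1 + n].decode(), inner[1 + n:]


def forward_path(keys: dict, route: list, destination: str, message: bytes) -> tuple:
    """Send the onion down the route and record the only thing each node learns:
    who handed it the onion and who it hands it to. The exit funnel ends up
    holding the cleartext and the destination address."""
    onion = build_onion(keys, route, destination, message)
    seen, prev = [], "onion-proxy"
    for node in route:
        next_hop, onion = peel(keys[node], onion)
        seen.append((node, prev, next_hop))
        prev = node
    return seen, next_hop, onion


def reply_path(keys: dict, route: list, reply: bytes) -> bytes:
    """Return direction: the exit funnel wraps the cleartext reply, and each node
    on the way back adds its own layer (exit first, entry last)."""
    for node in reversed(route):
        reply = wrap(keys[node], reply)
    return reply


def read_reply(keys: dict, route: list, blob: bytes) -> bytes:
    """Onion proxy: only it holds every key, so only it can unwrap the reply."""
    for node in route:  # the entry funnel's layer is outermost
        blob = unwrap(keys[node], blob)
    return blob


if __name__ == "__main__":
    route = ["entry-funnel", "router-b", "exit-funnel"]  # constructed route
    keys = {node: secrets.token_bytes(32) for node in route}
    seen, dest, payload = forward_path(keys, route, "webserver.example", b"GET / HTTP/1.0")
    for node, came_from, goes_to in seen:
        print(f"{node:13} knows only: from {came_from:13} to {goes_to}")
    print(f"exit funnel delivers {payload!r} to {dest} with its own address as source")
    back = reply_path(keys, route, b"HTTP/1.0 200 OK")
    print("client reads reply:", read_reply(keys, route, back))
```

Running it prints one line per hop showing that each router sees only its neighbours, while the exit funnel alone ends up with the cleartext request and the real destination. The authentication tag on every layer is what lets a node reject an onion it was not meant to open, or one that was altered in transit; the router-b key cannot peel the entry funnel's layer, and flipping a single ciphertext byte fails the check.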
The exit funnel also acts as a kind of entry funnel for the return direction: it takes the unencrypted reply that the destination host sends back and inserts it into the return onion, which carries it back across the onion routing network to the original client.

Category:Technical